A malicious document could lead to RCE in Apache OpenOffice (CVE-2021-33035)

Apache OpenOffice, one of the most popular open-source office productivity software suites, sports a RCE vulnerability (CVE-2021-33035) that could be triggered via a specially crafted document.

CVE-2021-33035

The vulnerability has been fixed in the software’s source code, but there is no official software version with the fix (though test build installers are available).

About CVE-2021-33035

CVE-2021-33035 was discovered by researcher Eugene Lim via fuzzing and source code review of Apache OpenOffice.

He started fuzzing a specific legacy file format (.dbf, i.e., the dBase database file format), supported by OpenOffice (but also by Microsoft Office and LibreOffice).

After finding exploitable crashes, he dove into OpenOffice’s DBF parsing code, and found the exploitable weakness: a buffer overflow flaw that could be exploited to bypass DEP and ASLR protections and achieve remote code execution.

He also found the same vulnerability in Scalabium dBase viewer (viewer software for dBase/FoxPro files).

Lim presented his findings at the HackerOne’s Hacktivity conference and documented his foray into vulnerability research in a blog post that could come in handy to other aspiring vulnerability researchers.

Fixing the flaw

Lim also reported his discoveries to the Apache OpenOffice project and the developer of Scalabium dBase viewer.

“While Scalabium dBase viewer was run by a single developer and could be resolved almost immediately, Apache OpenOffice took much longer,” he noted.

The Apache OpenOffice office has, over the years, been slow at pushing out fixes for security issues because it often found itself without development resources and release managers. In fact, last year the The Document Foundation – the developers of LibreOffice – published an open letter asking the Apache OpenOffice project to “endorse” LibreOffice and make users aware of it.

“The OpenOffice brand is still so strong, even though the software hasn’t had a significant release for over six years, and is barely being developed or supported,” they said.

“If Apache OpenOffice still wants to maintain its old 4.1 branch from 2014, sure, that’s important for legacy users. But the most responsible thing to do in 2020 is: help new users. Make them aware that there’s a much more modern, up-to-date, professionally supported suite, based on OpenOffice, with many extra features that people need.”

Lim himself has confirmed that LibreOffice does not have the discovered flaw.

Don't miss